February 15, 2005

Disclosure - "no stupid embargos" says Linus

The Linux community just set up a new way to report security bugs. In the debate, it transpires that Linus Torvalds laid down a firm position of "no delay on fix disclosures." Having had a look at some security systems lately, I'm inclined to agree. It may be that delays make sense to let vendors catch up. That's the reason most quoted, and it makes entire logical sense. But, that's not what happens.

The process then gets hijacked for other agendas, and security gets obscured. Thinking about it, I'm now viewing the notion of security being discussed behind closed doors with some suspicion; it's just not clear how security by obscure committees divides their time between "ignoring the squeeky wheels" and "create space to fix the bugs." I've sent messages on important security issues to several closed security groups in the last 6 months, and universally they've been ignored.

So, zero days disclosure is my current benchmark. Don't like it? Use a closed product. Especially when considered that 90% of the actual implementations out there never get patched in any useful time anyway...

Ian, the reports that the kernel developers have adopted a new security process are very premature. So far, Linus has not accepted a patch which documents the new model. In the meantime, several more vulnerabilities have been disclosed without the kernel developers issuing security notes. For example, Ubuntu has released an alleged security fix for a vulnerability in the IP forwarding path, but nobody knows if their analysis is correct.

In one aspect, Linus' distrust against vendors is very symptomatic for the kernel development as a whole: He doesn't view himself and his codevelopers as a vendor, even though many users still download, compile and run vanilla kernels from kernel.org. Consequently, the kernel developers do not publish official security patches or even security advisories. GNU/Linux distributions had to live with this odd behavior and therefore took initiative, handling security bugs on their own. I can hardly blame them for that.